Site https://online.citi.com/US/JRS/portal/index.do
Accept from https://start.me/* .citi.com
Deny
Site .online.citi.com
Accept from .citi.com
Deny

It does reduce attack surface slightly, but not by that much. Especially since only the https version of start.me is allowed to link the bank site, and you're already trusting start.me not to abuse it.

*Always* check the changelogs BEFORE updating that important software!